summaryrefslogtreecommitdiffstats
path: root/usr.bin/ssh/scp.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* highly polished whitespace, mostly fixing spaces-for-tab and baddjm2021-04-031-4/+3
| | | | indentation on continuation lines. Prompted by GHPR#185
* use the new variant log macros instead of prepending __func__ anddjm2020-10-181-3/+3
| | | | appending ssh_err(r) manually; ok markus@
* allow -A to explicitly enable agent forwarding in scp and sftp. Thedjm2020-08-031-4/+7
| | | | | default remains to not forward an agent, even when ssh_config enables it. ok jmc dtucker markus
* Fix error message on close(2) and add printf format attributes.millert2020-05-291-4/+7
| | | | From Christos Zoulas, OK markus@
* another case where a utimes() failure could make scp send adjm2020-05-061-4/+2
| | | | | desynchronising error; reminded by Aymeric Vincent ok deraadt markus
* when receving a file in sink(), be careful to send at most a singledjm2020-05-011-37/+59
| | | | | | | | error response after the file has been opened. Otherwise the source() and sink() can become desyncronised. Reported by Daniel Goujot, Georges-Axel Jaloyan, Ryan Lahfa, and David Naccache. ok deraadt@ markus@
* run the 2nd ssh with BatchMode for scp -3markus2020-04-301-1/+2
|
* Replace all calls to signal(2) with a wrapper around sigaction(2).dtucker2020-01-231-11/+11
| | | | | | This wrapper blocks all other signals during the handler preventing races between handlers, and sets SA_RESTART which should reduce the potential for short read/write operations.
* Fix potential truncation warning. ok deraadt.dtucker2019-09-091-2/+2
|
* When system calls indicate an error they return -1, not some arbitraryderaadt2019-06-281-12/+12
| | | | | | value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
* when checking that filenames sent by the server side match what thedjm2019-02-101-12/+270
| | | | | | | | client requested, be prepared to handle shell-style brace alternations, e.g. "{foo,bar}". "looks good to me" millert@ + in snaps for the last week courtesy deraadt@
* add -T to usage();jmc2019-01-271-2/+2
|
* check in scp client that filenames sent during remote->local directorydjm2019-01-261-9/+30
| | | | | | | | | | | | | | copies satisfy the wildcard specified by the user. This checking provides some protection against a malicious server sending unexpected filenames, but it comes at a risk of rejecting wanted files due to differences between client and server wildcard expansion rules. For this reason, this also adds a new -T flag to disable the check. reported by Harry Sintonen fix approach suggested by markus@; has been in snaps for ~1wk courtesy deraadt@
* Have progressmeter force an update at the beginning and end of eachdtucker2019-01-241-2/+2
| | | | | transfer. Fixes the problem recently introduces where very quick transfers do not display the progressmeter at all. Spotted by naddy@
* Sanitize scp filenames via snmprintf. To do this we move thedtucker2019-01-231-1/+2
| | | | | | progressmeter formatting outside of signal handler context and have the atomicio callback called for EINTR too. bz#2434 with contributions from djm and jjelen at redhat.com, ok djm@
* Add a -J option as a shortcut for -o Proxyjump= to scp(1) and sftp(1)tb2019-01-211-3/+5
| | | | | | to match ssh(1)'s interface. ok djm
* disallow empty incoming filename or ones that refer to the currentdjm2018-11-161-2/+3
| | | | directory; based on report/patch from Harry Sintonen
* Apply umask to all incoming files and directories not just files.dtucker2018-06-011-1/+3
| | | | | This makes sure it gets applied to directories too, and prevents a race where files get chmodded after creation. bz#2839, ok djm@
* lots of typos in comments/docs. Patch from Karsten Weiss after checkingdjm2018-04-101-2/+2
| | | | with codespell tool (https://github.com/lucasdemarchi/codespell)
* Disable RemoteCommand and RequestTTY in the ssh session started bydjm2018-02-101-1/+3
| | | | | scp. sftp is already doing this. From Camden Narzt via github; ok dtucker
* Add helper function for uri handing in scp where a missing pathmillert2017-12-181-11/+36
| | | | | simply means ".". Also fix exit code and add warnings when an invalid uri is encountered. OK otto@
* Add URI support to ssh, sftp and scp. For example ssh://user@hostmillert2017-10-211-94/+105
| | | | | | | or sftp://user@host/path. The connection parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since the ssh fingerprint format in the draft uses md5 with no way to specify the hash function type. OK djm@
* Switch to recallocarray() for a few operations. Both growth and shrinkagederaadt2017-05-311-6/+2
| | | | | | are handled safely, and there also is no need for preallocation dances. Future changes in this area will be less error prone. Review and one bug found by markus
* remove options -12 from usage();jmc2017-05-021-2/+2
|
* exterminate the -1 flag from scpdjm2017-04-301-1/+5
| | | | ok markus@
* Avoid relying on implementation-specific behavior when detectingmillert2017-04-281-6/+13
| | | | | | whether the timestamp or file size overflowed. If time_t and off_t are not either 32-bit or 64-bit scp will exit with an error. OK djm@
* Avoid potential signed int overflow when parsing the file size.millert2017-04-271-4/+9
| | | | Use strtoul() instead of parsing manually. OK djm@
* Add MAXIMUM(), MINIMUM(), and ROUNDUP() to misc.h, then use those definitionsderaadt2016-09-121-4/+3
| | | | | rather than pulling <sys/param.h> and unknown namespace pollution. ok djm markus dtucker
* To prevent screwing up terminal settings when printing to theschwarze2016-05-251-17/+28
| | | | | | | | | | | | | | | | | | | | | terminal, for ASCII and UTF-8, escape bytes not forming characters and bytes forming non-printable characters with vis(3) VIS_OCTAL. For other character sets, abort printing of the current string in these cases. In particular, * let scp(1) respect the local user's LC_CTYPE locale(1); * sanitize data received from the remote host; * sanitize filenames, usernames, and similar data even locally; * take character display widths into account for the progressmeter. This is believed to be sufficient to keep the local terminal safe on OpenBSD, but bad things can still happen on other systems with state-dependent locales because many places in the code print unencoded ASCII characters into the output stream. Using feedback from djm@ and martijn@, various aspects discussed with many others. deraadt@ says it should go in now, i probably already hesitated too long
* Improve accuracy of reported transfer speeds by waiting for the ack fromdtucker2016-03-021-5/+5
| | | | the other end. Pointed out by mmcc@, ok deraadt@ markus@
* pledge "stdio rpath wpath cpath fattr tty proc exec" except for thederaadt2015-11-271-1/+11
| | | | | -p option (which sadly has insane semantics...) ok semarie dtucker
* 0 -> NULL when comparing with a char*.mmcc2015-10-161-2/+2
| | | | ok dtucker@, djm@.
* rename xrealloc() to xreallocarray() since it follows that form.deraadt2015-04-241-2/+2
| | | | ok djm
* Replace <sys/param.h> with <limits.h> and other less dirty headers wherederaadt2015-01-161-4/+5
| | | | | | | | | possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
* when copying local->remote fails during read, don't send uninitialiseddjm2014-06-241-3/+7
| | | | heap to the remote end. Reported by Jann Horn
* unsigned casts for ctype macros where neccessaryderaadt2013-11-201-3/+3
| | | | ok guenther millert markus
* improved time_t overflow check suggested by guenther@djm2013-06-221-3/+5
|
* make this -Wsign-compare clean after time_t conversiondjm2013-06-211-3/+3
|
* Handle time_t values as long long's when formatting them and whenguenther2013-06-171-25/+38
| | | | | | | parsing them from remote servers. Improve error checking in parsing of 'T' lines. ok dtucker@ deraadt@
* use MAXPATHLEN for buffer size instead of fixed value. ok markusdtucker2013-06-041-2/+2
|
* Replace S_IWRITE, which isn't standardized, with S_IWUSR, which is. Patchdtucker2013-06-011-2/+2
| | | | from Nathan Osman via bz#2085. ok deraadt.
* bye, bye xfree(); ok markus@djm2013-05-171-12/+10
|
* Fix some "unused result" warnings found via clang and -portable. ok markus@dtucker2013-05-161-2/+2
|
* suppress adding '--' to remote commandlines when the first argumentdjm2011-09-091-5/+9
| | | | | does not start with '-'. saves breakage on some difficult-to-upgrade embedded/router platforms; feedback & ok dtucker ok markus
* scp.1: grammer fixjmc2010-12-091-2/+2
| | | | scp.c: add -3 to usage()
* add a new -3 option to scp: Copies between two remote hosts aremarkus2010-12-081-3/+86
| | | | | transferred through the local host. Without this option the data is copied directly between the two remote hosts. ok djm@ (bugzilla #1837)
* Pass through ssh command-line flags and options when doing remote-remotedjm2010-11-261-10/+22
| | | | | transfers, e.g. to enable agent forwarding which is particularly useful in this case; bz#1837 ok dtucker@
* add an option per-read/write callback to atomiciodjm2010-09-221-99/+22
| | | | | | | | | factor out bandwidth limiting code from scp(1) into a generic bandwidth limiter that can be attached using the atomicio callback mechanism add a bandwidth limit option to sftp(1) using the above "very nice" markus@
* Fix a longstanding problem where if you suspend scp at themillert2010-07-011-1/+19
| | | | | password/passphrase prompt the terminal mode is not restored. OK djm@
* When passing user-controlled options with arguments to other programs,guenther2009-12-201-7/+14
| | | | | | | | | | | | pass the option and option argument as separate argv entries and not smashed into one (e.g., as -l foo and not -lfoo). Also, always pass a "--" argument to stop option parsing, so that a positional argument that starts with a '-' isn't treated as an option. This fixes some error cases as well as the handling of hostnames and filenames that start with a '-'. Based on a diff by halex@ ok halex@ djm@ deraadt@
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.